[cabfpub] Notice of Certificate Issuance

Dean Coclin Dean_Coclin at symantec.com
Sun Nov 27 13:32:27 UTC 2016


On November 24, 2016 (Thanksgiving Day), an emergency situation arose
whereby mobile application users of Barclays Bank would no longer be able to
conduct transactions due to the pinning of an obsolete intermediate
certificate in the application. The bank, through its application provider
Axsy, urgently contacted Symantec to request a new certificate for
*.payliquid.com <http://payliquid.com/> chained to the older intermediate
CA. Symantec determined while this was possible, it could only be
accomplished by issuing a certificate with a sequential serial number, in
violation of CA/B Forum Baseline Requirements Section 7.1. This certificate
issuance was issued from a legacy system that has since been replaced in
part because it only supported certificate issuance using sequential serial
numbers.

---------------------------

Background and options explored (from Barclays):

"The recent change to the intermediate certificate negatively impacted
Barclays' SSL pinning solution. As a result, connection to our mobile
application will fail for all users imminently. The only other option to fix
this issue is underway and requires us to modify our existing iOS and
Android mobile application code. This will take several weeks, including
security testing, app store submission, approval and rollout.  

Merchant and consumer impact:

Without this exception, the impact on Barclays would be severe and fall
mainly on its small and medium enterprise customers who utilise its payment
acceptance devices that link to the application that is referred to above. 

Several thousand SME customers mainly operating in the UK market would not
be able to transact in a key trading period from 8.30am 25/11/16 on 'Black
Friday' and into the festive trading period they rely on for their
businesses to survive. It would impact hundreds of thousands of consumer
payment transactions, until the application is updated and then released. It
would also result in major reputational damage to Barclays and its business
customers impacted."

-----------------------------

Due to the criticality of this issue and the major impact to consumers and
businesses on a significant holiday shopping period, Symantec issued the
replacement certificate on the evening of November 24th. This certificate
has a relatively short validity period and had been published in CT logs as
shown here:
https://crt.sh/?sha256=ADF3CF69897EF0F02549D27266D324D61AB5746AB6FAB0D89C122616B68B7441

 

Dean Coclin
Symantec

 
